Step 3: Upload the Certificate to FortiNAC

Once the certificates are received from the CA, upload them to the applicable FortiNAC certificate targets (Admin UI, Captive Portal, Persistent Agent, RADIUS).

• If the certificate files were a result of a CSR generated by FortiNAC, the files must be installed on FortiNAC for the target used to generate the CSR.

• If the Certificate was generated elsewhere, then a private key must be provided with the certificate. Important: The private key cannot be password protected and must be in RSA format. To verify, see related KB article Convert SSL private key to RSA format.

  Tip: If using the same certificate for multiple targets (Admin UI, Portal, Persistent Agent, etc), first install certificate in a target that’s easy to validate (such as the Admin UI). Once validated, the files can be copied to the other targets.

Upload the valid SSL certificate to the appliance when the certificate file is returned from the CA. Certificate files can be returned to you in one of several configurations. Depending upon the CA, one or multiple certificate files may be returned.

1. Save the file(s) received from the CA to your PC.

2. Select System > Certificate Management.

3. Click Upload Certificate.

4. Select the target where the certificate will be uploaded. If the certificate files were a result of a CSR generated by FortiNAC, the files must be installed on FortiNAC for the target used to generate the CSR.

   Admin UI

   Local RADIUS Server (EAP)

   Persistent Agent

   Portal

   RADIUS Endpoint Trust

5. For the Private Key, select the appropriate drop-down menu option:

   • Select Use Private Key from Last Generated CSR if the files received were due from generating a CSR in FortiNAC (certificate target must be the one used to generate CSR).

   • Select Reuse Private Key from Existing Certificate to use the private key for the certificate currently in use. This option is for renewing an existing installed certificate.

   • Select Upload Private Key to upload a key stored outside FortiNAC. Click Choose to find and upload the private key.

6. Click the + button to find and select the certificate to be uploaded. Users can also upload CA certificates and CA bundles. Note: Repeatedly use the + button to add all the certificate files needed.

   Important: Upload any relevant intermediate certificate files needed for the creation of a complete certificate chain of authority. The Certificate Authority should be able to provide these files. Without a complete certificate chain of authority, the target functionality may produce error/warning messages.

7. Click OK.

8. If the Certificate was successfully installed, you will be prompted to restart the target’s services. Note: Only the service specific to the target is restarted. General FortiNAC operation is not interrupted.

   If unexpected behavior occurs, see Troubleshooting.

   Click Restart.

   The browser will time out if the target is the Admin UI, though the certificate has been successfully installed. Log back in if that is the case.

9. Validate certificate is active. For example, if the certificate was installed in the Admin UI target, browse to the Administration UI

   https://<FortiNAC hostname secured by certificate>:8443

   Important: Ensure the name used in the URL is the one specified in the certificate.

   Examine the certificate details in the browser (such as the security lock icon or whichever method is offered by that browser).

   If not secure, verify all intermediate and root certificates were included. See related KB article Identify missing SSL certificates via administration UI.

   If unexpected behavior occurs, see Troubleshooting.

Copy Certificate to Other Targets

If the certificate is intended to be used for multiple targets, copy the certificate to the new target:

1. Highlight the target with the desired certificate installed.

2. Click Copy Certificate.

3. Select the new target from the drop-down menu.

4. Click OK.